security
Request: Make RPM Installation of Demo Configuration Optional
Is your feature request related to a problem? Please describe
The RPMs are very useful and take care of a lot of important details, making installation much more streamlined. Unfortunately, they automatically install the demo configuration. Even if you have your own configuration ready to go, you must set an OPENSEARCH_INITIAL_ADMIN_PASSWORD and let it go through all those steps only to delete everything it does and install your own configuration.
Describe the solution you'd like
To be honest, I do not think the RPM should be installing the demo configuration at all by default. But, if that is set in stone, then it should at least take the DISABLE_INSTALL_DEMO_CONFIG variable that is used throughout various parts within the opensearch ecosystem.
Describe alternatives you've considered
No response
Additional context
I think it is a really bad workaround, but I just discovered that if you set a weak password the demo installation script will fail out and the package has installed enough by that point to be usable. It would be preferable to have a clean way to do it though.
Moving to security team to provide an update.
Just to add context in deb/rpm packages, the demo install script runs during installation, not during startup. It is logical to move this logic to run from postinstall to systemd service.
This was suggested to the security team when the implementation happened in 2.12.0, that we could move such behavior to systemd. But due to concerns about breaking the existing systemd service file, and time concerns, this change was not implemented at the time. @DarshitChanpura @derek-ho
- https://github.com/opensearch-project/security/issues/3916
I did at least skim through that thread while digging into this. That discussion seemed to revolve around where to have the variable set and when the demo install is run. It seems set on running the demo install automatically. And my issue is with the demo install being run at all. To me, running the demo install should be an additional process run by the user if they choose to, not by default. Or at least have a way to opt out of it like the disable install variable used elsewhere.
Without knowing the history behind the decision to run the demo install automatically, it is very confusing to me. It seems like the RPM is being treated as just a way to spin up a local demo rather than something that may be used to install the application on a production system. I have not come across another RPM that does it this way. It has always been install the rpm then run these other commands to get started.
[Triage] @DarshitChanpura Can you take a look at this issue and see if this is the appropriate repo for this issue? Please transfer back to opensearch-build if the changes to not run the install_demo_configuration script would take place in opensearch-build
RPM installation should run the demo install script only if DISABLE_INSTALL_DEMO_CONFIG is set to false, i.e. this block should be modified to do so.
See docker entrypoint for example: https://github.com/opensearch-project/opensearch-build/blob/main/docker/release/config/opensearch/opensearch-docker-entrypoint-2.x.sh#L33-L49
Since this issue is not related to security, but related to distribution setup, @opensearch-project/triage please transfer this issue back to opensearch-build repo.
@DarshitChanpura would you be able to make the small change to this script to allow this configuration?
I have been using my own Ansible playbook to automate the deployment and upgrade process of OpenSearch, so the demo configuration is meaningless for me. And I have to add a task to remove those demo configs to make things work.
2.12.0 requiring admins to set OPENSEARCH_INITIAL_ADMIN_PASSWORD also breaks my playbook and makes things more complex.